TL;DR
PHP 5.3.x is old (end-of-life since 2014) and has no password-hashing API of its own; `md5()` and `sha1()` are fast general-purpose digests, not password hashes. On PHP 5.3.7 or later, the password_compat library back-ports `password_hash()` and `password_verify()`, giving you salted bcrypt with an adjustable cost. It does not provide Argon2id, which needs PHP 7.3 or later. Never use MD5 or SHA1 for passwords, and plan the PHP upgrade.
Step-by-step Guide
- Understand the problem: PHP 5.3.x has no dedicated password-hashing API, and the general-purpose digests people reach for (`md5()`, `sha1()`) are designed to be fast. Fast is exactly wrong for passwords: a leaked table of MD5 or SHA1 hashes can be attacked at billions of guesses per second on commodity GPUs, and without a per-user salt, identical passwords hash identically and precomputed tables work across every account. You need a deliberately slow, salted algorithm with a tunable work factor.
- Install password_compat: the password_compat library (ircmaxell/password_compat on GitHub) back-ports PHP 5.5's `password_hash()`, `password_verify()`, `password_needs_rehash()` and `password_get_info()` to PHP 5.3.7 and later. It implements bcrypt only (`PASSWORD_BCRYPT`, which is also `PASSWORD_DEFAULT`) on top of PHP's bundled `crypt()` `$2y$` backend; it does not provide Argon2id. PHP 5.3.7 is the floor because the `$2y$` prefix, which fixes a bcrypt bug with 8-bit characters in the password, only exists from that release. Download the latest release from the GitHub releases page and put `password.php` in your project's root directory or another location on your include path.
- Include the library: require `password.php` once, in your bootstrap or at the top of every script that touches passwords, before calling any `password_*` function. The file is guarded: on PHP 5.5 and later, where the native functions already exist, it defines nothing, so the same code keeps working unchanged after you upgrade.
- Hash passwords (bcrypt): call `password_hash()` with the plaintext and `PASSWORD_BCRYPT`. The return value is a 60-character string that encodes the algorithm (`$2y$`), the cost and a fresh random salt, followed by the hash; it is the only thing you need to persist. Check the return value: password_compat returns `null` or `false` instead of a hash when `crypt()` is unavailable or the cost is out of range.
- Verify passwords (bcrypt): call `password_verify()` with the submitted plaintext and the stored string. It reads the cost and salt back out of the stored string, recomputes the hash and compares in constant time, returning a boolean. Never rebuild the hash yourself and compare with `==` or `===`.
- Argon2id: this step does not apply on PHP 5.3. password_compat is bcrypt-only, and Argon2 arrived natively only in PHP 7.2 (`PASSWORD_ARGON2I`) and 7.3 (`PASSWORD_ARGON2ID`), and then only when PHP is compiled against libargon2. Argon2id's memory-hard design does resist GPU and ASIC cracking better than bcrypt, so it is worth adopting once you upgrade; a properly tuned bcrypt cost is a sound choice until then.
- Verification after an upgrade: `password_verify()` dispatches on the prefix of the stored string, so bcrypt and Argon2id hashes can coexist in one table and be checked with the same call. Use `password_needs_rehash()` on each successful login to migrate old hashes to the new algorithm or cost while you still have the plaintext.
- Important considerations:
  - Salting is handled automatically: `password_hash()` generates a random salt per call from the system's secure random source and stores it inside the returned string. Do not generate or store salts yourself, and do not pass the deprecated `salt` option.
  - Cost factor: bcrypt's cost is the base-2 logarithm of the iteration count, so each increment doubles the work for you and for an attacker alike. The default of 10 is a floor, not a target: benchmark `password_hash()` on the production hardware and raise the cost as high as your login latency budget allows (roughly 100 to 250 ms per hash is a common rule of thumb), then revisit it as hardware gets faster. bcrypt also uses only the first 72 bytes of the password; longer inputs are silently truncated.
  - Database storage: store the full string returned by `password_hash()` (60 characters for bcrypt; size the column for at least 255 so longer Argon2 strings fit later) and nothing else. Do *not* store the original password, and keep plaintexts out of logs and error messages.
  - Upgrade PHP: PHP 5.3 receives no security fixes, so the real fix is to move to a supported release (PHP 7.x or 8.x), where `password_hash()` and `password_verify()` are built in and Argon2id is available. Code written against password_compat needs no changes when you do.
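The steps above, assembled into one runnable script. This is an added example, not code from the original page or from the password_compat project. It assumes that `password.php` from ircmaxell/password_compat sits next to the script, that PHP is 5.3.7 or newer, and that an in-memory array stands in for the users table so it runs offline; `choose_bcrypt_cost` and `UserStore` are names invented for the example. Because password_compat defines nothing on PHP 5.5+, the same file runs unchanged on PHP 7 and 8.

```php
<?php
// Added example; not code from the original page or from the password_compat project.
// Assumptions: password.php from ircmaxell/password_compat is next to this script,
// PHP is 5.3.7 or newer (password_compat's floor, because of the $2y$ bcrypt fix),
// and an in-memory array stands in for the users table so this runs offline.
require_once __DIR__ . '/password.php';

// Hypothetical helper (not part of password_compat): find the highest bcrypt cost
// that still hashes in under $targetMs on *this* machine. Cost is log2 of the
// iteration count, so each +1 doubles the work for attacker and defender alike.
function choose_bcrypt_cost($targetMs = 150, $maxCost = 14)
{
    for ($cost = 10; $cost <= $maxCost; $cost++) {
        $start = microtime(true);
        password_hash('benchmark-only', PASSWORD_BCRYPT, array('cost' => $cost));
        if ((microtime(true) - $start) * 1000 > $targetMs) {
            return max(10, $cost - 1); // never drop below the library default of 10
        }
    }
    return $maxCost;
}

class UserStore
{
    private $hashes = array(); // constructed stand-in for a users.password_hash column
    private $options;
    private $dummyHash;

    public function __construct(array $options)
    {
        $this->options = $options;
        // Verified against when the username is unknown, so a failed login takes
        // about the same time whether or not the account exists.
        $this->dummyHash = password_hash('dummy', PASSWORD_BCRYPT, $options);
    }

    public function register($username, $password)
    {
        // password_hash generates a random salt and embeds it, together with the
        // algorithm id ($2y$) and the cost, in the 60-character result.
        $hash = password_hash($password, PASSWORD_BCRYPT, $this->options);
        if (!is_string($hash)) { // password_compat returns null/false on failure
            throw new RuntimeException('password_hash failed');
        }
        $this->hashes[$username] = $hash; // store the whole string, nothing else
    }

    public function login($username, $password)
    {
        $known  = isset($this->hashes[$username]);
        $stored = $known ? $this->hashes[$username] : $this->dummyHash;
        // password_verify parses cost and salt out of $stored, recomputes the hash
        // and compares in constant time. Never compare hash strings with == yourself.
        if (!password_verify($password, $stored) || !$known) {
            return false;
        }
        // Transparent upgrade: a hash made with an older cost (or, after moving to
        // PHP 7.3+, an older algorithm) is replaced while the plaintext is in hand.
        if (password_needs_rehash($stored, PASSWORD_BCRYPT, $this->options)) {
            $this->hashes[$username] = password_hash($password, PASSWORD_BCRYPT, $this->options);
        }
        return true;
    }

    public function costOf($username)
    {
        $info = password_get_info($this->hashes[$username]);
        return $info['options']['cost'];
    }

    // Lets the example load a pre-existing (legacy) hash, as a migration would.
    public function importHash($username, $hash)
    {
        $this->hashes[$username] = $hash;
    }
}

$options = array('cost' => choose_bcrypt_cost());
$store   = new UserStore($options);

$store->register('alice', 'correct horse battery staple');
var_dump($store->login('alice', 'correct horse battery staple'));
var_dump($store->login('alice', 'wrong password'));
var_dump($store->login('nobody', 'anything'));

// A legacy hash made at cost 4 is upgraded to the current cost on its next login.
$store->importHash('bob', password_hash('hunter2', PASSWORD_BCRYPT, array('cost' => 4)));
$store->login('bob', 'hunter2');
var_dump($store->costOf('bob') === $options['cost']);
```

Two design points worth noting: the unknown-user branch still runs `password_verify()` against a dummy hash made at the same cost, so response time does not leak which usernames exist, and the rehash-on-login path is what lets you raise the cost (or switch to Argon2id after an upgrade) without forcing a password reset.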

